We strongly recommend that all users upgrade to Microsoft Internet
Information Services (IIS) version 6.0 running on Microsoft Windows Server
2003. IIS 6.0 significantly increases Web infrastructure security. For more
information about IIS security-related topics, visit the following Microsoft
Web site:
MORE INFORMATION
The most comprehensive information on securing Web
applications is available in:
Designing Secure Web-Based Applications for Microsoft Windows 2000
ISBN: 0-735-60995-0
Authors: Michael Howard, Richard Waymire, Marc Levy
Publisher: Microsoft Press, July 2000
The following references are available online from the Microsoft
TechNet Web site:
As a best practice, Microsoft recommends installing
the latest service pack and security updates for IIS, as well as any other
components running on the web server. Although many customers utilize the
online Security Bulletin Search as a reference for what hotfixes to apply for a
given Product and Service Pack choice, the information provided by that tool
does not take into account cumulative rollups (it shows all updates released
after the specified Service Pack). For that reason, we recommend that customers
who deploy IIS use the Microsoft Baseline Security Analyzer (MBSA) to identify
security risks.
For more information
about the MBSA, click the following article number to view the article in the
Microsoft Knowledge Base:
320454
Microsoft Baseline Security Analyzer (MBSA) version 1.2.1 is available
Once the latest Service Pack and all of the latest
product updates (hotfixes) have been applied, system level security should be
applied to the web server. To make securing IIS more convenient, Microsoft has
produced the IIS Lockdown Wizard, available at the following location:
325864 How to install and use the IIS Lockdown Wizard
The IIS Lockdown Wizard provides a "wizard"
interface to configure many security recommendations. Both the IIS Lockdown
Wizard and UrlScan, an ISAPI filter that can be used to block malicious web
requests, are part of the Microsoft Security Toolkit that can be obtained from
the following location:
For more information about UrlScan, click the following article number to view
the article in the Microsoft Knowledge Base:
Microsoft is committed to providing applications
that can be used to keep our customers' information secure, and maintains an
Internet site dedicated to security-related topics for Microsoft products. The
Microsoft Security web site is available at:
In addition to visiting the Microsoft Security web site on a
regular basis, Microsoft recommends that customers stay up to date with the
latest Security Bulletins, by subscribing to the Microsoft Security
Notification Service at the Web site listed below:
Microsoft provides free online services for determining when
updates are required, such the Critical Update Notification which is available
from the Windows Update Web site. To visit the Windows Update Web site, visit
the following Microsoft Web site:
You can also use the Microsoft Baseline Security Advisor to
determine vulnerabilities on the system that is running the utility. To obtain
the Microsoft Baseline Security Advisor, visit the following Microsoft Web
site:
REFERENCES
When securing Web servers, it is possible to set
permissions too restrictively, which can prevent proper serving of content. The
following Microsoft Knowledge Base article describes the minimal permissions
necessary for Internet Information Services to serve content properly:
187506 Required NTFS permissions and user rights for IIS 4.0
For more information, click the following article number to
view the article in the Microsoft Knowledge Base:
271071
How to set required NTFS permissions and user rights for an IIS 5.0 Web server